The vulnerability and threat landscape in 2016

Vincent Smyth, general manager and senior vice president of EMEA at Flexera Software, puts forward his threat and vulnerability predictions for 2016.

Companies will have the power to prevent most hacks before they happen – if they act!

While the volume of vulnerabilities will continue to stay at the current overwhelming levels in 2016, there will be good news for security professionals. The vast majority of vulnerabilities can be patched on the same day they are disclosed to the public – in 2014, out of all the 15,435 vulnerabilities recorded, a full 83 per cent had a security patch available on the day of disclosure.

Flexera Software does not expect significant changes in 2016, meaning it is in the hands of IT teams to patch vulnerabilities immediately, before hackers start to exploit them to gain access to business-critical data. To accomplish this, operations and security teams will need sufficient insight into their environments to discover and inventory their software and hardware assets, receive vulnerability intelligence whenever vulnerabilities are discovered in those products, and apply the security patch published by the vendor. A vast majority – more than 83 per cent – of vulnerability problems can be solved in this manner.

IoT – Everything connected to the internet can and will be hacked!

Software vendors and hardware manufacturers will need to increase focus on security when they develop their Internet-connected products. The glorious new world of the Internet of Things (IoT) brings with it endless opportunities – and, from a security standpoint, quite a few challenges. There is one overriding rule of thumb to get across to vendors and consumers alike in 2016: no internet-connected device is 100 per cent secure. If it’s connected to the internet, it can be hacked.

As the software producer community and the traditional manufacturing companies come to grips with this new era, it will be important for them to attune their devices to security needs.

This includes careful code testing, continuous maintenance, careful mapping of bundled software together with verified intelligence about vulnerabilities in it, and ample resources to react promptly and effectively as soon as a vulnerability in the product is reported.

APT attacks targeting and used by government will increase in 2016

We are currently seeing an increase in reports of Advanced Persistent Threats (APTs), and it is safe to assume that the APTs we hear of are only the tip of the iceberg. Government organisations will therefore continue to be targeted by these increasingly sophisticated attacks. APTs are designed and executed by professionals who customise exploit kits for attacks. Vulnerabilities, including zero-day vulnerabilities, are an important tool in APT attacks. As APTs become more widespread, more resources will need to be invested in discovering unknown vulnerabilities, and we should therefore expect a correspondingly high level of zero-days in the next year.

Governmental organisations and corporations critical to a country’s infrastructure will continue in 2016 to be high-profile targets for criminal organisations and for nation states wishing to cause damage to other nation states and their critical infrastructure.

Bundling jeopardises security: IT pros need to get better visibility

Vendors are increasingly bundling their products with additional software, such as open source applications and libraries, making it harder for customers to know which products are in fact present on their systems. IT security and operations professionals will have to improve their handling of the opaque area that is bundling in 2016.

The security consequences of vendors bundling their software with open source libraries caught the IT community completely unprepared back in 2014, when the Heartbleed vulnerability and subsequent security releases in the open source library OpenSSL made the IT community realise how all the shared code complicates security tenfold. In addition to tracking known software vulnerabilities in known products in the infrastructure, IT pros therefore need to investigate and map the third-party applications bundled with the products they use in their environment, and ensure that they stay apprised of any vulnerabilities that affect them.

Device manufacturers will become better at pushing security updates

As the IoT expands, hardware and software manufacturers will need to improve their collaboration on security, and work together to issue patches and push updates directly to all devices. On the back of the Stagefright incident, a series of high-severity vulnerabilities which affected nearly all Android devices in 2015, both Google and some of the phone vendors behind Android devices are already upping their focus on how to get security updates pushed from the software vendor out to end-user devices.

The entire Android vendor community is rallying to improve and will hopefully issue security updates for its products more proactively than it has in the past.